In computer networks with remote networking devices such as routers and switches and, in particular, Cisco routers and switches, it is useful to attach a modem to the console port or auxiliary port of the remote networking device in order to provide “out-of-band” access to the device console for remote management. In this context “out-of-band” refers to providing connectivity to the console port through means other than through the primary data network of which the networking device is a part. For instance, the alternative connectivity could be a Public Switched Telephone Network (PSTN) as shown in FIG. 1. Some of the uses of this “out-of-band” access include allowing an engineering group to initially configure the networking device through this access and using the connection for ongoing maintenance activities. Password Recovery on a Cisco router also requires connectivity to the console port. The “out-of-band” access via the modem can also be used during diagnostic procedures when there is an issue with the networking device's primary data network connectivity possibly isolating the device from the primary network. Visibility to the entire site may have been lost. The lack of or improper functioning of an “out-of-band” connection can significantly increase the mean-time-to-repair (MTTR) for a site. When visibility to a remote site is lost, it is useful to determine if there is still power at the site as part of the problem determination procedures. One way to do this is to call the modem attached to the networking device. If the modem answers then there is power at the site. Then the modem can be used to access the networking device to try to determine if the problem is with the router, the switch, the Data Service Unit (DSU), the local loop, or some other element in the primary network.
However, there are also risks involved with placing a modem on the console port of a networking device, including Cisco devices. First, any perimeter security for the network, such as firewalls and access-lists, has just been completely bypassed providing a vulnerable point for intruders to attack. The Router Security Configuration Guide published by the National Security Agency indicates on page 47 says, “Permitting direct dial-in to any vital piece of network infrastructure is potentially very risky . . . ” and on page 49, “It is okay to leave a connection to the console port attached all the time, but that terminal (or computer) should be standalone, and protected from unauthorized access.” If an attacker knows or can determine the phone number of the modem then the only security is the logon protection on the networking device itself.
A typical scenario for centrally managed login and privileged mode access control to a Cisco router either via the console or auxiliary (AUX) port or via the in-band network using telnet would use an Access Control Server (ACS) and either the Remote Authentication Dial-In User Service (RADIUS) protocol or Terminal Access Controller Access Control System (TACACS+). Note that the password travels in the clear between the remote user and the router either over the telnet connection or over the connection from the user to the console port. The password can be encrypted between the router and the ACS. FIG. 2 illustrates the typical steps in logging into the router or attempting to enter privileged mode as itemized below:                a. The user connects to the router either by dialing into the console port or by telnet to the router.        b. The router informs the ACS of the attempted connection and the ACS has the router issue a userid prompt.        c. The user returns the userid and the router passes the userid to the ACS.        d. The ACS has the router issue a password prompt.        e. The user enters the password (which travels as clear text between the user and the router) and the router passes the password to the ACS (can be encrypted between the router and the ACS).        f. The ACS compares the userid and the password with its database and if the password is the correct password for the userid the ACS informs the router.        
Another authentication scenario often used for dial-in security at a network perimeter is a challenge handshake with central authentication and authorization using the radius protocol to communicate with the ACS. This is illustrated in FIG. 3. Note that the shared secret string or password shared between the ACS and the remote user is never communicated over the network during authentication. Here are the steps that would be typical when a remote user is attempting to connect into the network and the network wants to authenticate/authorize the remote user:                a. The remote user dials into the Network Access Server (NAS) via PSTN or Integrated Services Digital Network (ISDN)        b. The NAS (or the ACS via RADIUS) issues a prompt for the userid and after getting the userid issues a prompt for a password.        c. The NAS has the ACS via RADIUS verify the userid and password. If they are authenticated then the NAS (or ACS via radius) issues a challenge in the form of a generated random number.        d. The remote user has access to a calculator or method of encrypting the random numbers that is configured with a shared secret string (shared with the ACS).        e. The remote user uses the calculator to encode the challenge to come up with what is essentially a one-time password (OTP) based on the random number.        f. The remote user responds to the challenge from the NAS with the OTP.        g. The NAS passes the OTP to the ACS via radius and if the ACS agrees that the challenge was properly encoded with the shared secret string that the ACS shares with the remote user then the remote user is authenticated. The ACS can also inform the NAS via radius about what activities the user is authorized for.        
Another complication with connecting to the console port of a router or switch is that the router or switch typically is not aware of the status of connections to the modem. If a user is dialed into the console and hangs up or is somehow disconnected from the modern without logging out of the networking device, another call can come into the modern and the new caller will inherit all the privileges of the previous caller without even having to log in. On page 49, the Router Security Configuration Guide says, “The connection to the console port should not be left logged in. Configure the console line to time out, so that if an administrator forgets to log out, the router will log him or her out automatically”, but this still leaves a window of opportunity for an attacker. Also, if the networking device is using some form of centralized authorization and/or authentication of users for access to the networking device such as that described above and the networking device has lost connectivity to the ACS, then the networking device will not be able to use the centralized authentication method to authenticate and authorize the user. Typically, in this situation, the networking device reverts to an alternative method of authorization such as a global (enable) password that is generally less secure that the centralized authentication of users. If an attacker knows the global password and there is a network outage or the attacker can perform a denial-of-service attack on the ACS then the device is very vulnerable.
An attacker could also perform a denial-of-service attack on the console port as well. Even if an attacker does not have the credential to be authorized to the port connected to the modem they can dial that port repeatedly tying up the line and denying its use to an authorized user.
Even with these risks, some network administrators will still put modems on the console ports of networking devices in the network. For them, the utility of having the modem on the networking device outweighs the risks, even though they would rather not have the risks. Other network administrators have made the choice of using modems that require a user name and password or require unique tokens be generated or the use of smart cards. Typically it is only the top of the line moderns that provide this feature and even then they are limited with respect to the number of users that can be configured and the administration of the user names and passwords is such a nightmare that often only one user name and password gets configured and everybody uses the shared password. In large enterprise networks the most frequent decision is that the risks are too great and as useful as the moderns on the console ports would be, they will not be allowed. The only place they will allow modems is on Network Access Servers (NAS) where strong authentication and authorization can be performed.
Even when a modem is placed on the console port of a networking device, such as a router, it is not always clear that the modem and analog line were working correctly prior to a network outage. Therefore, if the modem does not answer during problem determination, it is not as strong an indicator as one would like, that the site has lost power. It could be that some portion of the “out-of-band” connection has malfunctioned or been disconnected previously without being detected. Also, if the modem or analog line is not working correctly, a valuable tool that has been shown to shorten MTTR has been lost. If there is a problem with the “out-of-band” path it needs to be found and corrected before there is an outage in the primary network, not when there is an outage. It is important to be able to quickly determine if a site has lost power.
Another difficulty with the “out-of-band” connection, particularly when connecting to Cisco devices, is the configuration and management of the modem. A modem can often be configured by having the Data Terminal Equipment (DTE) it is attached to send it commands (often using some variation of the AT command set). However, the console port on many Cisco devices will not allow you to enter these configuration commands to the modem. This could result in a technician needing to be dispatched if a modem's configuration has been scrambled or the modem needs to be reconfigured. Dispatching a technician could cost more than the modem.
To get around this problem, some network administrators have connected the modern to the networking device's AUX port rather than the console port. If the modem is connected to the AUX port on a Cisco router it is often possible to do a “reverse telnet” to get to the modem and change the settings (for instance using the AT command set). Also, with certain configurations, the AUX port can detect when a remote user hangs up or is disconnected and is therefore not as vulnerable to the security hole of allowing the next caller to inherit the privileges of the previous caller. Unfortunately, some tasks, such as password recovery, require a connection to the counsel port of the networking device. When the modem is connected to the console port a technician can remotely recover the password though password recovery usually requires someone local to the networking device to turn the power for the device off and then back on. It would be useful to be able to perform password recovery without requiring a person to “cycle” the power to the networking device. Also, when the modem is connected to the console port, the remote technician can receive status messages of the boot process for the equipment but they do not receive this information from the auxiliary port.
An additional vulnerability for the “out-of-band” connection is eavesdropping. The information from the user to the networking device is traveling over the alternate connection in the clear. For instance, if an analog telephone line is being used and the line is tapped, the eavesdropper would be able to see all the information traveling between the user and the networking device. Often, this can include the device configuration including the passwords. Even in the situation where a modem is being used that requires a user name and password, some protocols will allow that user name and password to be captured.
Problem isolation and determination would be enhanced if the technician also had “out-of-band” access to the console ports of several networking devices at a site such as the DSU, probes, sniffers, switches, power managers, etc. However, not only is the capital cost of the modems for each of these console ports an issue, but there would also be the operational costs of the analog lines for each of these devices. In general, the benefits have not been seen to be worth the cost.
An object of the invention is to provide a system for remotely managing a computer network.
Another object of the invention is to provide a system for remotely managing a computer network which provides improved security for authenticating, authorizing and controlling use of the network by remote users.
Another object of the invention is to provide a system for remotely managing a computer network which allows for remote management and configuration by network administrators.
Another object of the invention is to provide a system for remotely managing a computer network which monitors network connections and analog connections and provides status updates.
Another object of the invention is to provide a system for remotely managing a computer network which monitors network connections and analog connections and provides notices if either connection is lost.
Another object of the invention is to provide a system for remotely managing a computer network which can encrypt communications between the network and a remote user.
Another object of the invention is to provide a system for remotely managing a computer network which monitors the network power supply and provides status updates.
Another object of the invention is to provide a system for remotely managing a computer network which monitors the network power supply and provides notice if the power supply fails.
Another object of the invention is to provide a system for remotely managing a computer network which monitors connections for possible attacks and reports possible attacks to Intrusion Detection System management software.
Yet another object of the invention is to provide a system for remotely managing a computer network which can remotely interrupt power to a device connected to the computer network.
Yet another object of the invention is to provide a system for remotely managing a computer network which monitors connection attempts made through the analog connection.
A further object of the invention is to provide a system for remotely managing a computer network which can selectively block connection attempts made through the analog connection means.
Finally, it is an object of the present invention to accomplish the foregoing objectives in a simple and cost effective manner.